Signal Users Targeted in Coordinated Phishing Campaign to Steal Backup Recovery Keys
- May 30
- 3 min read
Key Findings
Attackers are conducting a coordinated phishing campaign targeting Signal users by impersonating Signal Support via text messages
The campaign specifically seeks backup recovery keys, which decrypt entire message archives stored on Signal's servers, not just future communications
Journalists, activists, and human rights workers are confirmed targets, with reports of campaigns against Chinese activists and German officials
A 64-character recovery key grants access to all encrypted message history if attackers can compromise the account
German prosecutors are investigating suspected state-sponsored Russian phishing operations that targeted politicians, ministers, military personnel, and diplomats, with hundreds of accounts potentially affected
The attack is simple to execute and easily reproducible, raising concerns about wider adoption once proven effective
Background
Signal's Secure Backups feature stores encrypted archives of user conversations on Signal's servers. The recovery key is the only mechanism that decrypts these archives. Critically, this key never leaves a user's device and Signal itself never possesses it. The phishing campaign exploits this architecture by deceiving users into voluntarily sharing their recovery keys through fake support messages.
What makes this attack particularly dangerous compared to typical account takeovers is scope. A standard account compromise gives attackers access to future messages only. With a recovery key, attackers gain access to the complete message history stored in backups, potentially years of sensitive communications.
Attack Mechanics
The phishing messages appear to come from Signal Support with a visible "Name not verified" label that users often miss. The messages create urgency by warning of imminent data loss due to sync issues and request users to locate their recovery key in Settings, copy it, and paste it directly into the chat.
The simplicity of the technique is both the strength and the weakness. No sophisticated technical exploitation is required. Victims are social engineered into revealing the key themselves. However, this simplicity means the method can be easily replicated and scaled by other threat actors once proven successful.
High-Value Targets
Journalists, activists, lawyers, and human rights workers represent premium targets for this type of attack. Unlike individuals with mundane message histories, these professionals often have years of sensitive communications involving sources, legal strategies, political discussions, and coordination of sensitive activities.
Reports indicate the campaign has already successfully targeted Chinese activists and German officials. In Germany, the operation targeted high-profile figures including politicians like Julia Klöckner, military personnel, diplomats, and journalists. One notable case involved a phishing attempt embedded in what appeared to be a legitimate group chat from a political party.
State-Sponsored Operations
German prosecutors launched a formal investigation into the phishing campaign targeting German officials, with early evidence suggesting state-sponsored involvement. The operation attempted to compromise Chancellor Friedrich Merz's account, though that specific attempt reportedly failed. Authorities estimate hundreds of accounts may have been affected by the coordinated effort.
The attacks used multiple social engineering vectors including messages impersonating official Signal support, requests for authentication codes, malicious QR codes, and crafted links designed to appear legitimate.
Defensive Measures
Signal will never contact users first or request recovery keys, registration codes, or PINs. Users should treat unsolicited support messages as suspicious and avoid clicking links in account-warning messages.
Protective steps include enabling registration locks, PIN protection, and device-change alerts. Using disappearing messages reduces exposure if an account is compromised. Scam-detection tools can help identify phishing attempts before damage occurs. Users should never share verification codes or authentication secrets under any circumstances.
Future Outlook
While current attacks appear targeted, cybersecurity researchers warn that targeted campaigns rarely remain limited once the technique proves effective. The straightforward mechanics make this attack easily reproducible by criminal and state-sponsored groups alike. If adoption spreads beyond current operators, the campaign could evolve into a widespread threat affecting millions of users across multiple countries and demographics.
Sources
https://securityaffairs.com/192899/security/signal-phishing-campaign-targets-journalists-and-activists-to-steal-backup-recovery-keys.html
https://aiweekly.co/alerts/signal-backup-keys-stolen-in-coordinated-phishing-wave
https://mezha.net/eng/bukvy/a1aa92eb_hackers_target_signal
https://cyberinsider.com/signal-users-targeted-by-attackers-seeking-backup-recovery-keys

Comments